Ormandy's target this time was Symantec. He found several remote code execution vulnerabilities, including one in the core scanning engine used in all Symantec and Norton-branded products. The problem is so severe that even a single email engineered to exploit the flaw could compromise a computer, depending on the platform.

"Just receiving an email is enough, no need to open or read it (even webmail, so long as the tab is open)," Ormandy wrote on Twitter.

Symantec said Monday in an advisory that it had issued a fix for the flaw - designated CVE-2016-2208 - through its LiveUpdate service. The up-to-date version of its anti-virus engine is "20151.1.1.4." Other issues found by Ormandy, however, can't be fixed by LiveUpdate and will require a separate update. A Symantec spokeswoman says the company is working on those issues.

Ormandy's findings were met with surprise, even by computer security pros used to seeing the worst. "A securely configured PC/Mac (no Flash, disabled Office macros, fully patched) is hackable simply by having anti-virus scan inbound mail?!" wrote Kenn White, a security researcher and co-director of the Open Crypto Audit Project.

So, why are anti-virus programs so attractive a target for hackers? To work effectively - and detect malicious activity - the applications require deep access into a computer's operating system. On Windows, Symantec's scanning engine is loaded into the kernel, the core code inside the operating system. Successful exploitation of the scanning engine bug Ormandy found therefore causes memory corruption within the kernel on Windows and could allow remote attackers to seize full control of some systems.

"This is about as bad as it can possibly get," Ormandy writes in his advisory. The result on Windows is the "blue screen of death." On Linux, Unix and Mac OS X, the successful exploitation of the remote heap overflow problem can give an attacker root access to the system.

Ormandy couldn't be reached for comment. Since last year, Ormandy has found more than 45 flaws within security products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
